July 28, 2016
This Trojan, named Android.Spy.305.origin, is implemented as an advertising SDK platform that is used to generate income from application downloads. Doctor Web specialists registered at least seven developers who have embedded Android.Spy.305.origin into their apps: MaxMitek Inc, Fatty Studio, Gig Mobile, TrueApp Lab, Sigourney Studio, Doril Radio.FM, Finch Peach Mobile Apps, and Mothrr Mobile Apps.
Among these malicious applications are live wallpapers, image catalogs, utilities, photo editors, radio applications, and so on. Thus far Doctor Web’s security researchers have registered 155 dangerous applications, which have already been downloaded over 2.8 million times. Although the company has informed Google which applications contain Android.Spy.305.origin, many of them are still available for download.
Once one of these applications is launched, Android.Spy.305.origin connects to its command and control (C&C) server and receives a command to download an additional module, Android.Spy.306.origin. This component contains the main malicious payload, which Android.Spy.305.origin loads at run time with the DexClassLoader class, so the code that does the actual harm is not present in the APK published on Google Play.
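The loading pattern just described (an SDK that fetches a module over the network and hands it to DexClassLoader) leaves a recognisable trace in the disassembled app: a method that both opens a network connection and constructs a dynamic class loader. The script below is an added example, not code from Doctor Web or from the Trojan; it runs a simple static triage over smali text as a disassembler would emit it. The two smali classes, their package names and method bodies are constructed for the example, and the severity levels are my own heuristic.

```python
import re
from typing import Dict, List

# Constructed sample: two smali classes in the form a disassembler such as
# baksmali produces. Class names and bodies are invented for this example.
SAMPLE_SMALI = {
    "com/example/adsdk/Loader.smali": """
.class public Lcom/example/adsdk/Loader;
.super Ljava/lang/Object;

.method public fetchAndLoad(Landroid/content/Context;Ljava/lang/String;)V
    .locals 6
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p2}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v1
    new-instance v2, Ldalvik/system/DexClassLoader;
    invoke-direct {v2, v3, v4, v5, v1}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    return-void
.end method
""",
    "com/example/app/MainActivity.smali": """
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
}

# Constructors of the class loaders that execute code which was not in the APK.
DYNAMIC_LOADER = re.compile(
    r"Ldalvik/system/(DexClassLoader|InMemoryDexClassLoader);-><init>")
# Common network APIs; extend with whatever HTTP stack the app ships.
NETWORK_API = re.compile(
    r"Ljava/net/(URL|HttpURLConnection);->|Lokhttp3/|Lorg/apache/http/")
# One smali method: header line, body, ".end method" at line start.
METHOD_RE = re.compile(
    r"^\.method\s+(?P<sig>.+?)$(?P<body>.*?)^\.end method", re.M | re.S)


def scan_class(smali: str) -> Dict[str, List[str]]:
    """Record which methods of one class touch the network and/or a dynamic loader."""
    findings: Dict[str, List[str]] = {
        "loader_methods": [], "network_methods": [], "both_in_one_method": []}
    for m in METHOD_RE.finditer(smali):
        sig, body = m.group("sig").strip(), m.group("body")
        has_loader = bool(DYNAMIC_LOADER.search(body))
        has_net = bool(NETWORK_API.search(body))
        if has_loader:
            findings["loader_methods"].append(sig)
        if has_net:
            findings["network_methods"].append(sig)
        if has_loader and has_net:
            findings["both_in_one_method"].append(sig)
    return findings


def triage(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Report only classes that build a dynamic loader; rank by how close the
    network fetch sits to the load (same method > same class > loader alone)."""
    report: Dict[str, Dict[str, object]] = {}
    for path, text in files.items():
        f = scan_class(text)
        if not f["loader_methods"]:
            continue
        if f["both_in_one_method"]:
            severity = "high"
        elif f["network_methods"]:
            severity = "medium"
        else:
            severity = "low"
        report[path] = {"severity": severity, **f}
    return report


if __name__ == "__main__":
    for path, finding in triage(SAMPLE_SMALI).items():
        print(path, finding["severity"], finding["both_in_one_method"])
```

Legitimate apps also use DexClassLoader (plugin frameworks, some ad SDKs, hot-patching), so a "high" result is a prompt to read the flagged method and check where the loaded file comes from, not a verdict on its own.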
The Trojan then sends the following data to the C&C server:
- Email address connected to the Google user account
- List of installed applications
- Current system language
- Name of the device manufacturer
- Mobile device model
- IMEI identifier
- OS version
- Screen resolution
- Mobile network operator
- Name of the application containing the Trojan
- Developer’s ID
- SDK platform’s version
Then Android.Spy.305.origin starts delivering annoying advertisements by displaying them on top of running applications and the operating system interface. In addition, it can prompt users to download various software programs and scare them into thinking that their devices are infected with malware programs.
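Most of the items in the data list above, and the overlay advertisements described here, require specific Android permissions that a build of this kind must declare in its manifest: GET_ACCOUNTS for the Google account address, READ_PHONE_STATE for the IMEI, SYSTEM_ALERT_WINDOW to draw over other applications, and INTERNET to reach the C&C server (on Android 11 and later, enumerating installed apps additionally needs QUERY_ALL_PACKAGES). The script below is an added example, not Doctor Web's tooling; it parses an AndroidManifest.xml and rates how closely the requested permissions match that behaviour profile. The permission mapping is standard Android but the profile and severity levels are my own, and both manifests, including their package names, are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions needed to collect the items named in the advisory's data list.
# The mapping is standard Android; the profile built from it is mine.
COLLECTION_PERMS = {
    "android.permission.GET_ACCOUNTS": "Google account e-mail address",
    "android.permission.READ_PHONE_STATE": "IMEI",
    "android.permission.QUERY_ALL_PACKAGES": "installed application list (Android 11+)",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INTERNET_PERM = "android.permission.INTERNET"

# Constructed manifests (package names are placeholders, not apps from the advisory).
WALLPAPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.livewallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Live Wallpaper"/>
</manifest>
"""
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radioplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Radio"/>
</manifest>
"""


def parse_manifest(manifest_xml: str) -> Dict[str, object]:
    """Return the package name and the sorted list of requested permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}
    return {"package": root.get("package"), "permissions": sorted(perms)}


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Rate a manifest against the profile: network channel plus device/account
    profiling plus the ability to draw over other apps."""
    info = parse_manifest(manifest_xml)
    perms = set(info["permissions"])
    collects: List[str] = [COLLECTION_PERMS[p] for p in sorted(perms & set(COLLECTION_PERMS))]
    overlay = OVERLAY_PERM in perms
    internet = INTERNET_PERM in perms
    if internet and overlay and collects:
        severity = "high"       # all three legs of the profile present
    elif internet and (overlay or collects):
        severity = "medium"     # network plus one of the two behaviours
    else:
        severity = "low"        # INTERNET alone is requested by almost every app
    return {**info, "severity": severity, "collects": collects, "overlay": overlay}


if __name__ == "__main__":
    for manifest in (WALLPAPER_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(manifest)
        print(r["package"], r["severity"], r["collects"], "overlay" if r["overlay"] else "")
```

Read the result in context: a live wallpaper or a radio player has no plausible need for the account list or the IMEI, so a "high" rating on that kind of app is the point at which to pull the APK apart and look at what the embedded SDK sends and to where.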
Android.Spy.305.origin was found in the following programs:
- com.greenapp.slowmotion
- com.maxmitek.livewallpapernight
- com.asem.contactfilter
- com.allinOne.openquickly
- com.dorilradio.pe
- com.fusianart.takescreenshots
- com.maxmitek.livewallpapergod
- com.gigmobile.booster
- com.mobilescreen.recorder
- com.mobilescreen.capture
- com.fattys.automaticcallrecording
- com.maxmitek.livewallpaperbutterfly
- com.lollicontact.caller
- com.fusianart.doubletapscreen
- com.maxmitek.livewallpaperrain
- com.dorilradio.ru
- com.appworks.browser
- com.maxmitek.livewallpaperwinter
- com.sgfatty.videoplayerpro
- com.trueapppower.battery
- com.fattystudiocontacts.bassbooster
- com.mobiletool.rootchecker
- com.magicapp.reversevideo
- com.maxmitek.livewallpaperchristmas
- com.live3d.wallpaperlite
- com.maxmitek.flowerwallpaper
- com.maxmitek.livewallpaperaquariumfishfish
- com.maxmitek.nightwallpapers
- com.vmh.crackyourscreen
- com.nicewallpaper.s6wallpaper
- com.maxmitek.sunsetwallpaper
- com.nicewallpaper.supercar
- com.maxmitek.lovewallpaper
- com.maxmitek.livewallpaperdolphins
- com.nicewallpaper.beautigirl
- com.maxmitek.beachwallpaper
- com.maxmitek.livewallpapernewyear
- com.maxmitek.livewallpapergalaxy
- com.maxmitek.livewallpaper3d
- com.maxmitek.livewallpaperwaterfall
- com.maxmitek.wallpaperhalloween
- com.maxmitek.catwallpaper
- com.fattysgui.beautyfont
- com.fattystudioringtone.mp3cutter
- com.fattystudio.convertertomp3
- com.fattystudio.pictureeditor
- com.gig.wifidoctor
- com.minibackup.contacttranfer
- com.greenapp.voicerecorder
- com.glade.batterysaver
- com.beatstudio.awcapture
- com.mothrrmobile.volume
- com.trueapplab.fastlauncher
- net.camspecial.clonecamera
- com.sunny.text2photo
- com.converttool.videomp3
- com.foto.proeditor
- com.appworks.djmixonline
- com.appworksui.myfonts
- com.appworks.crackyourscreen
- com.appworkscontact.instadownloader
- com.rartool.superextract
- com.easytool.screenoff
- net.electronic.alarmclock
- com.finchpeach.heartrate
- com.finchpeach.weatherpro
- net.dotcom.cpuinfo
- com.finchpeach.wifihotspotfree
- net.brscreen.filter
- com.evin.translator
- com.dorilradio.ua
- com.dorilradio.ir
- com.dorilradio.pk
- com.dorilradio.sm
- com.dorilradio.me
- com.dorilradio.sv
- com.dorilradio.sr
- com.dorilradio.sk
- com.dorilradio.sl
- com.dorilradio.sg
- com.dorilradio.py
- com.dorilradio.pr
- com.dorilradio.pa
- com.dorilradio.mc
- com.dorilradio.lu
- com.dorilradio.lt
- com.dorilradio.lv
- com.dorilradio.li
- com.dorilradio.de
- com.dorilradio.kr
- com.dorilradio.is
- com.dorilradio.il
- com.dorilradio.hn
- com.dorilradio.ht
- com.dorilradio.gh
- com.dorilradio.ec
- com.dorilradio.fi
- com.dorilradio.doo
- com.dorilradio.cz
- com.dorilradio.cy
- com.dorilradio.cr
- com.dorilradio.bo
- com.dorilradio.th
- com.dorilradio.br
- com.dorilradio.gr
- com.dorilradio.es
- com.dorilradio.nl
- com.dorilradio.be
- com.dorilradio.id
- com.dorilradio.pl
- com.dorilradio.tr
- com.dorilradio.mx
- com.dorilradio.gt
- com.dorilradio.hu
- com.dorilradio.nz
- com.dorilradio.pt
- com.dorilradio.ch
- com.dorilradio.ro
- com.dorilradio.rs
- com.dorilradio.eg
- com.dorilradio.lk
- com.dorilradio.my
- com.dorilradio.tn
- com.dorilradio.tw
- com.dorilradio.no
- com.dorilradio.za
- com.dorilradio.ba
- com.dorilradio.bg
- com.dorilradio.hr
- com.dorilradio.dk
- com.dorilradio.in
- com.dorilradio.ie
- com.dorilradio.ph
- com.dorilradio.ar
- com.dorilradio.cl
- com.dorilradio.co
- com.dorilradio.ve
- com.dorilradio.sn
- com.dorilradio.uy
- com.dorilradio.ma
- com.dorilradio.se
- com.dorilradio.ng
- com.dorilradio.dz
- com.dorilradio.ke
- com.dorilradio.it
- com.dorilradio.cn
- com.dorilradio.ca
- com.dorilradio.jp
- com.dorilradio.fr
- com.dorilradio.au
- com.dorilradio.uk
- com.dorilradio.us
Although Google Play is the official and most trustworthy source of Android software, Trojans are still periodically found in applications distributed there. Doctor Web’s specialists therefore recommend that users pay attention to negative feedback posted by other users and install software only from reliable developers. Dr.Web for Android products successfully detect and remove Android.Spy.305.origin, so this malicious program poses no threat to Dr.Web users.